Managing Azure VM Hybrid Use Benefit Configuration Using Azure Policy

The Azure Policy is a great tool to manage your standards and policies within your Azure subscriptions. In addition to the built-in policies from the Azure Portal, the product team also provides a public GitHub repository to share custom policy definitions to the community.

At the time of writing this post, there are already 2 policy definitions in this GitHub repo for managing the Hybrid Use Benefit (BYO license) for Windows VMs:

These 2 policy definitions are maturely exclusive.

If you apply the Enforce policy, you will not be able to create a VM if you have not enabled Hybrid Use Benefit as shown below:


At the summary page of the wizard, you will receive an error:


On the other hand, if you have apply the Deny Hybrid Use Benefit policy, you will also get an validation error if you have enabled Hybrid Use Benefit:


These two policy definitions are great, but to me, none of them meets my requirements. I don’t want to educate my users on what settings should they use, and throwing an error at the summary page of the wizard is not very user friendly. I want my users to not worry about this setting, and automatically enable Hybrid Use Benefit for Windows server VMs. Therefore I created new custom definition based on the above mentioned 2 existing definitions to append Hybrid Use Benefit for a Windows Server VM (automatically enable it):

This policy will automatically enable Hybrid Use Benefit for Windows Server VMs if it is not enabled during the creation of the VM.

Unfortunately, I don’t believe (and please correct me if I am wrong) there is a way to automatically remove the Hybrid Use Benefit setting from a VM if it is enabled using Azure Policy. According to the Azure Policy definition documentation (, the possible effects are: Deny, Audit, Append, AuditIfNotExists and DeployIfNotExists. There is no possible effects to remove a value if it exists


  1. Excellent write-up – we’re about to test this in our environment.
    Question – in terms of removing this policy, or reversing it, given that when a server does not have the Hybrid benefits enabled, it’s ‘licenseType’ property is blank (nulled), could we perhaps change the Policy Definition to below:

    “then”: {
    “effect”: “append”,
    “details”: [
    “field”: “Microsoft.Compute/licenseType”,
    “value”: “$null”

    We will also be testing this in our environment.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: